The FaaS and the Curious

Despite Amazon’s diligent efforts to secure their Lambda FaaS platform, its intended ability to access a variety of resources and services can be abused for unintended results. This presentation explores the attack surface of the AWS Lambda FaaS platform and how it can be surreptitiously used to circumvent security controls. Specifically, it will demonstrate how to hijack and impersonate Lambda functions, gain persistent remote access to the AWS cloud environment, and reverse engineer the Lambda runtime environment itself.

6.
AWS Services: Lambda Overview
A serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. You can use AWS Lambda to extend other AWS services with custom logic, or create your own back-end services that operate at AWS scale, performance, and security.

11.
AWS Services: IAM Overview
Identity and Access Management enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

12.
AWS Services: IAM Attributes
User
» A person or service that interacts with AWS through the console, API, or CLI
» Authenticated with a name, password, or access keys
» Created with no permissions by default
Group
» A collection of IAM users with common permissions
» An administrative convenience for granting and revoking access

15.
Attack Vectors: Disclaimer
All attack vectors shown assume that the applicable permissions have been granted through IAM roles and policies.
Because of the granularity, esoteric nature, and deny-by-default model of IAM policies, it is not unusual for permissions to be lax.
Culprits include serverless web service frameworks, automation tools, third-party solutions, and untrained cloud administrators.
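The lax permissions this slide describes are usually visible in the function's execution-role policy. The following is an added example, not part of the presentation: a small Python checker that flags Allow statements with wildcard actions, wildcard resources, or NotAction, run against two constructed policy documents (a lax one and a least-privilege one; the account ID, region and bucket name are placeholders).

```python
import json

# Constructed lax execution-role policy of the kind the slide warns about:
# the function may call any API against any resource.
LAX_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed least-privilege counterpart: only what the handler needs.
TIGHT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_lax_statements(policy_json):
    """Return (statement_index, reason) for Allow statements that grant too much.

    Deny statements are skipped: a wildcard in a Deny only narrows access.
    """
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            findings.append((i, "NotAction allows every call not listed"))
        if "*" in actions:
            findings.append((i, "Action '*' allows every API call"))
        else:
            findings.extend((i, f"Action {a} allows a whole service")
                            for a in actions if a.endswith(":*"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "Resource '*' applies to every resource"))
    return findings
```

Running it against a real role's policy document (for example the output of `aws iam get-role-policy`) shows at a glance which statements deserve a closer look.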

17.
Attack Vectors: Curious Minds Want to Know…
» Where are credentials stored?
» How can credentials be abused?
» What is the operating system?
» How is the network configured?
» What are the file system permissions?
» Which processes are running?
» How is our code bootstrapped?
» What data can we control?
» How can we change the runtime execution flow?